The relationship between two flavors of oblivious transfer at the quantum level 
Though all-or-nothing oblivious transfer and one-out-of-two oblivious transfer are equivalent in classical cryptography, we here show that due to the nature of quantum cryptography, a protocol built upon secure quantum all-or-nothing oblivious transfer cannot satisfy the rigorous definition of quantum one-out-of-two oblivious transfer.

I. INTRODUCTION

The mystery of quantum cryptography has long intrigued scientists. On one hand, several cryptographic tasks such as quantum conjugate coding [1] and the well-known quantum key distribution [2, 3, 4] have had great success. They achieved theoretically unbreakable security which can never be reached by their classical counterparts. But, on the other hand, some no-go theorems were established, indicating that quantum cryptography is not always powerful for any task. In particular, the MLC no-go theorem [5, 6] rules out the possibility of non-relativistic unconditionally secure quantum bit commitment (QBC), and Lo's insecurity proof of one-sided two-party quantum secure computations [7] indicates that one-out-of-two oblivious transfer is impossible as well.

Oblivious transfer (OT) is an important concept found to be very useful in designing multi-party cryptography protocols [8]. There are two major flavours of OTs. The original one [9] is simply known as oblivious transfer, and is sometimes also called all-or-nothing OT. Another related notion was proposed later, which is called one-out-of-two OT [10]. In classical cryptography, it was shown that these two are computationally equivalent. Essentially, a protocol was presented in Ref. [11] to illustrate that secure all-or-nothing OT can lead to secure one-out-of-two OT. Furthermore, it was believed that secure one-out-of-two OT can lead to secure BC0. This standard classical reduction chain reveals the connection between the security of OT and BC protocols at the classical level.

Very recently, a quantum all-or-nothing OT protocol was developed [12]. This OT does not rigorously satisfy the requirement of one-sided two-party quantum secure computation protocols, on which Lo's insecurity proof was based. Thus it could remain unconditionally secure against the cheating strategy in Lo's proof. Nevertheless, at first glance, this result would conflict with Lo's conclusion and in turn with the MLC no-go theorem (i.e., secure quantum one-out-of-two OT and QBC would be possible) if the mentioned standard classical reduction were justified.



More intriguingly, it has also been realized that "reductions and relations between classical cryptographic tasks need not necessarily apply to their quantum equivalents" [13]. Indeed, it will be shown in this paper that once we intend to build a one-out-of-two OT protocol on a secure quantum all-or-nothing OT protocol with the method developed in Ref. [11], it is impossible that the resultant protocol can satisfy the rigorous definition of one-out-of-two OT on which Lo's proof was based. In this sense, secure quantum all-or-nothing OT does not imply secure quantum one-out-of-two OT, i.e. the above classical reduction chain is broken in the present quantum cryptography case. As a result, there exists no logical conflict between the existence of a secure quantum all-or-nothing OT protocol and the MLC no-go theorem of QBC.

The paper is organized as follows. In the next two sections, the definitions of the two flavors of OTs will be stated precisely and a brief review of their classical equivalence will be presented. The relationship between these OTs at the quantum level will be revealed in Section IV, and how it is related to the cheating strategy in Lo's proof will be studied in Section V. In Section VI, it will be indicated that the breaking of the reduction chain is not simply a matter of definition; rather, it originates from the nature of quantum cryptography itself.



II. DEFINITIONS 

Let us first state precisely the definitions of the different OTs on which the discussion in this paper is based. In Ref. [11], where the classical equivalence between these OTs was proven, the definitions of all-or-nothing OT and one-out-of-two OT were summarized as:

Definition A: all-or-nothing OT 
(A-i) Alice knows one bit b. 

(A-ii) Bob gets bit b from Alice with probability 1/2. 

(A-iii) Bob knows whether he got b or not. 

(A-iv) Alice does not know whether Bob got b or not. 

Definition B: one-out-of-two OT
(B-i) Alice knows two bits $b_0$ and $b_1$.

(B-ii) Bob gets bit $b_j$ and not $b_{\bar{j}}$ with Pr(j = 0) = Pr(j = 1) = 1/2.

(B-iii) Bob knows which of $b_0$ or $b_1$ he got.

(B-iv) Alice does not know which $b_j$ Bob got.

In Lo's insecurity proof of one-sided two-party quantum secure computations [7], a more rigorous definition of one-out-of-two OT was specifically introduced as:

Definition C: rigorous one-out-of-two OT 
(C-i) Alice inputs $i$, which is a pair of messages $(m_0, m_1)$.

(C-ii) Bob inputs $j = 0$ or $1$.

(C-iii) At the end of the protocol, Bob learns about the message $m_j$, but not the other message $m_{\bar{j}}$, i.e., the protocol is a one-sided two-party secure computation $f(m_0, m_1, j = 0) = m_0$ and $f(m_0, m_1, j = 1) = m_1$.

(C-iv) Alice does not know which $m_j$ Bob got.

Meanwhile, the definition of one-sided two-party quantum secure computations used in Lo's proof reads

Definition D: one-sided two-party secure computation
Suppose Alice has a private (i.e. secret) input $i \in \{1, 2, \ldots, n\}$ and Bob has a private input $j \in \{1, 2, \ldots, m\}$. Alice helps Bob to compute a prescribed function $f(i,j) \in \{1, 2, \ldots\}$ in such a way that, at the end of the protocol:

(a) Bob learns $f(i,j)$ unambiguously;

(b) Alice learns nothing [about $j$ or $f(i,j)$];

(c) Bob knows nothing about $i$ more than what logically follows from the values of $j$ and $f(i,j)$.

Obviously, Definition C is a special case of Definition D. In Ref. [7] it is proven that any protocol satisfying Definition D is insecure. Therefore, as a corollary, there should not exist a secure quantum one-out-of-two OT protocol which satisfies Definition C rigorously.

III. CLASSICAL EQUIVALENCE 

The proof of the classical equivalence between the two flavors of OTs is provided in Ref. [11]. The major part of the proof is the following procedure, showing how secure one-out-of-two OT can be implemented upon secure all-or-nothing OT.

Protocol P: 

(1) Alice and Bob agree on a security parameter $s$;

(2) Alice chooses at random $Ks$ bits $r_1, r_2, \ldots, r_{Ks}$;

(3) For each of these $Ks$ bits Alice uses the all-or-nothing OT protocol to disclose the bit to Bob;

(4) Bob selects $U = \{i_1, i_2, \ldots, i_{a_s}\}$ and $V = \{i_{a_s+1}, i_{a_s+2}, \ldots, i_{2a_s}\}$ where $a_s = Ks/3$ with $U \cap V = \emptyset$ and such that he knows $r_{i_k}$ for each $i_k \in U$;

(5) Bob sends $(X, Y) = (U, V)$ or $(X, Y) = (V, U)$ to Alice according to a random bit $j$;

(6) Alice computes $c_0 = \bigoplus_{x \in X} r_x$ and $c_1 = \bigoplus_{y \in Y} r_y$;

(7) Alice returns to Bob $b_0 \oplus c_0$ and $b_1 \oplus c_1$;

(8) Bob computes $\bigoplus_{u \in U} r_u \in \{c_0, c_1\}$ and uses it to get his secret bit $b_j$.

IV. RELATIONSHIP AT THE QUANTUM LEVEL

Though the two definitions of one-out-of-two OT (Definitions B and C) seem to be consistent with each other, we will show here that, at the quantum level, if a secure quantum all-or-nothing OT protocol satisfies Definition A and can be used as a "black box", a Protocol P built upon it via the above procedure does not satisfy Definition C rigorously, though it satisfies Definition B.

The deviation from Definition C lies in (C-i) and (C-iii). Consider Alice's input $i$ in Protocol P. In step (7) of the protocol, we can see that $i$ includes not only the secret bits $b_0$ and $b_1$, but also $c_0$ and $c_1$. Steps (5) and (6) show that $c_0$ and $c_1$ not only depend on Alice's input $r_1, r_2, \ldots, r_{Ks}$, but also depend on how Bob selects $X$, $Y$, $U$ and $V$, i.e. they depend on Bob's input $j$. Therefore, Protocol P cannot be viewed as a "black box" function $f(i(m_0, m_1), j)$, where $i$ and $j$ are the private inputs of Alice and Bob respectively. Instead, it has the form $f(i(m_0, m_1, j), j)$, where Alice's input varies according to Bob's input, and its value is not determined until Bob's input has been completed. That is, Protocol P does not rigorously satisfy Definition C, nor Definition D, as the description of the function $f$ is different.
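
The dependence described above can be seen by running Protocol P classically. The following Python simulation is an added illustration, not code from the paper: the all-or-nothing OT is modelled as an ideal box, and the function names, the default values K = 6 and s = 16, and the abort when Bob holds too few bits are assumptions. `alice_pads` shows that Alice's masks are computed from Bob's message (X, Y), so swapping j swaps them.

```python
import random
from functools import reduce
from operator import xor

def all_or_nothing_ot(bit, rng):
    """Ideal Definition A box: Bob gets the bit with probability 1/2, else None.
    Alice sees nothing, so she never learns which transfers succeeded (A-iv)."""
    return bit if rng.getrandbits(1) else None

def xor_bits(bits):
    return reduce(xor, bits, 0)

def alice_pads(r, X, Y):
    """Step 6: Alice's masks c0, c1 are computed from Bob's message (X, Y)."""
    return xor_bits(r[x] for x in X), xor_bits(r[y] for y in Y)

def protocol_p(b0, b1, j, s=16, K=6, rng=None):
    """Steps 2-8 with honest parties. Returns (bob_bit, (c0, c1)), or None
    when Bob received too few bits to form U (assumed: he aborts)."""
    rng = rng or random.SystemRandom()
    n, a = K * s, (K * s) // 3
    r = [rng.getrandbits(1) for _ in range(n)]            # step 2
    got = [all_or_nothing_ot(bit, rng) for bit in r]      # step 3
    known = [k for k in range(n) if got[k] is not None]
    if len(known) < a:
        return None
    U = rng.sample(known, a)                              # step 4: all known
    V = rng.sample(sorted(set(range(n)) - set(U)), a)     # disjoint from U
    X, Y = (U, V) if j == 0 else (V, U)                   # step 5
    c0, c1 = alice_pads(r, X, Y)                          # step 6
    masked = (b0 ^ c0, b1 ^ c1)                           # step 7
    pad = xor_bits(got[u] for u in U)                     # step 8
    return masked[j] ^ pad, (c0, c1)

if __name__ == "__main__":
    rng = random.Random(2024)  # constructed seed, for a repeatable demo only
    for b0, b1, j in [(0, 1, 0), (0, 1, 1), (1, 0, 1)]:
        print((b0, b1, j), "->", protocol_p(b0, b1, j, rng=rng))
```
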

Though the difference seems tiny at first glance, its consequences are significant at the quantum level. This can be seen from two aspects:

(I) The con side: Protocol P cannot be used as a black box since the sequence of the participants' inputs is important, i.e. we have to deal with the details of the protocol when it is used to build other protocols. As argued in the introduction of Ref. [7], to ensure that the standard classical reduction can apply to quantum cryptographic protocols, "one must be allowed to use a quantum cryptographic protocol as a 'black box' primitive in building up more sophisticated protocols and to analyze the security of those new protocols with classical probability theory". Therefore the above character of Protocol P makes it unsuitable to be used as a rigorous quantum one-out-of-two OT to connect the reduction chain between quantum all-or-nothing OT and QBC. Other applications of Protocol P in quantum cryptography may also have limited power.

(II) The pro side: Protocol P is not covered by the cheating strategy in Ref. [7] for the following reason. According to the strategy, Bob can change the value of $j$ from $j_1$ to $j_2$ by applying a unitary transformation to his own quantum machine. Therefore he can learn $f(i(m_0, m_1), j_1)$ and $f(i(m_0, m_1), j_2)$ simultaneously without being found by Alice. However, for the function $f(i(m_0, m_1, j), j)$, the value $f(i(m_0, m_1, j_1), j_2)$ is meaningless. Without the help of Alice, Bob cannot change $i$ from $i(m_0, m_1, j_1)$ to $i(m_0, m_1, j_2)$. Hence he cannot learn $f(i(m_0, m_1, j_1), j_1)$ and $f(i(m_0, m_1, j_2), j_2)$ simultaneously by himself. Namely, though the cheating strategy works for any protocol satisfying Definition D, it does not work for Protocol P.

On the other hand, though $c_0$ and $c_1$ depend on Bob's input $j$, from the protocol it can be seen clearly that they are insufficient for Alice to learn the value of $j$. Thus Protocol P is still secure against Alice. In this sense, the relaxed definition of one-out-of-two OT (Definition B) is satisfied.



V. DEFEATING THE CHEATING STRATEGY 

In this section, the above conclusion (II) will be rigorously proven. For convenience, let us first recall the cheating strategy in Lo's proof in more detail. According to Section III of Ref. [7], in any protocol satisfying Definition D, Alice and Bob's actions on their quantum machines can be summarized as an overall unitary transformation $U$ applied to the initial state $|u\rangle_{\mathrm{in}} \in H_A \otimes H_B$, i.e.

$$|u\rangle_{\mathrm{fin}} = U |u\rangle_{\mathrm{in}}. \tag{1}$$



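When both parties are honest, $|u^h\rangle_{\mathrm{in}} = |i\rangle_A \otimes |j\rangle_B$ and

$$|u^h\rangle_{\mathrm{fin}} = |v_{ij}\rangle = U(|i\rangle_A \otimes |j\rangle_B). \tag{2}$$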



Therefore the density matrix that Bob has at the end of the protocol is

$$\rho^{i,j} = \mathrm{Tr}_A |v_{ij}\rangle \langle v_{ij}|. \tag{3}$$



Bob can cheat in this protocol, because given $j_1, j_2 \in \{1, 2, \ldots, m\}$, there exists a unitary transformation $U^{j_1,j_2}$ such that

$$U^{j_1,j_2} \rho^{i,j_1} (U^{j_1,j_2})^{-1} = \rho^{i,j_2} \tag{4}$$

for all $i$. It means that Bob can change the value of $j$ from $j_1$ to $j_2$ by applying a unitary transformation independent of $i$ to the state of his quantum machine. This equation is proven as follows.

Alice may entangle the state of her quantum machine A with her quantum dice D and prepare the initial state

$$\frac{1}{\sqrt{n}} \sum_i |i\rangle_D \otimes |i\rangle_A. \tag{5}$$



She keeps D for herself and uses the second register A to execute the protocol. Suppose Bob's input is $j_1$. The initial state is

$$\frac{1}{\sqrt{n}} \sum_i |i\rangle_D \otimes |i\rangle_A \otimes |j_1\rangle_B. \tag{6}$$



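At the end of the protocol, it follows from Eqs.Q and © that the total wave function of the combined system D, A, and B is

$$|v_{j_1}\rangle_{\mathrm{fin}} = \frac{1}{\sqrt{n}} \sum_i |i\rangle_D \otimes U(|i\rangle_A \otimes |j_1\rangle_B). \tag{7}$$

Similarly, if Bob's input is $j_2$, the total wave function at the end will be

$$|v_{j_2}\rangle_{\mathrm{fin}} = \frac{1}{\sqrt{n}} \sum_i |i\rangle_D \otimes U(|i\rangle_A \otimes |j_2\rangle_B). \tag{8}$$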

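Due to the requirement (b) in Definition D, the reduced density matrices in Alice's hand for the two cases $j = j_1$ and $j = j_2$ must be the same, i.e.

$$\rho^{\mathrm{Alice}}_{j_1} = \mathrm{Tr}_B |v_{j_1}\rangle \langle v_{j_1}| = \mathrm{Tr}_B |v_{j_2}\rangle \langle v_{j_2}| = \rho^{\mathrm{Alice}}_{j_2}. \tag{9}$$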

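Equivalently, $|v_{j_1}\rangle$ and $|v_{j_2}\rangle$ have the same Schmidt decomposition

$$|v_{j_1}\rangle = \sum_k a_k |\alpha_k\rangle_{AD} \otimes |\beta_k\rangle_B \tag{10}$$

and

$$|v_{j_2}\rangle = \sum_k a_k |\alpha_k\rangle_{AD} \otimes |\beta'_k\rangle_B. \tag{11}$$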

Now consider the unitary transformation $U^{j_1,j_2}$ that rotates $|\beta_k\rangle_B$ to $|\beta'_k\rangle_B$. Notice that it acts on $H_B$ alone and yet, as can be seen from Eqs. (10) and (11), it rotates $|v_{j_1}\rangle$ to $|v_{j_2}\rangle$, i.e.

$$|v_{j_2}\rangle = U^{j_1,j_2} |v_{j_1}\rangle. \tag{12}$$

Since

$${}_D\langle i | v_j \rangle = \frac{1}{\sqrt{n}} |v_{ij}\rangle \tag{13}$$

[see Eqs. (2), (7), and (8)], by multiplying Eq. (12) by ${}_D\langle i|$ on the left, one finds that

$$|v_{ij_2}\rangle = U^{j_1,j_2} |v_{ij_1}\rangle. \tag{14}$$

Taking the trace of $|v_{ij_2}\rangle \langle v_{ij_2}|$ over $H_A$ and using Eq. (14), Eq. (4) can be obtained.

Note that all these equations are just those presented in Lo's proof [7]. We now consider Protocol P, where Alice's input $i$ is dependent on Bob's input $j$. In the above proof, all $i$ in the equations should be replaced by
from the very beginning. Consequently, Eq. (13) becomes



1 



\ v mi) 



(15) 



In this case multiplying Eq. (12) by ${}_D\langle i_2|$ ($i_2 =$ for short) on the left cannot give Eq. (14) any more. Instead, the result is

$$|v_{i_2 j_2}\rangle = U^{j_1,j_2} U'^{i_1,i_2} |v_{i_1 j_1}\rangle, \tag{16}$$

where $U'^{i_1,i_2} =$ . Then Eq. (4) is replaced by

$$U^{j_1,j_2} U'^{i_1,i_2} \rho^{i_1,j_1} (U^{j_1,j_2} U'^{i_1,i_2})^{-1} = \rho^{i_2,j_2}. \tag{17}$$

Note that $U'^{i_1,i_2}$ is the unitary operation on Alice's side. This implies that without Alice's help, Bob cannot change the density matrix he has from $\rho^{i_1,j_1}$ to $\rho^{i_2,j_2}$. That is why Bob's cheating strategy fails in Protocol P.

VI. ORIGIN OF THE INEQUIVALENCE 

It is valuable to find out the underlying reason why Protocol P does not satisfy the rigorous Definition C. One might naturally suspect that the reason is the relaxed Definition A of all-or-nothing OT used in this work. However, this is not true. In fact, we never need to deal with the details of the all-or-nothing OT in Section IV; we simply use it as a black box. Even when the most rigorous definition of all-or-nothing OT is used, the discussion in that section is still valid. Thus it is not a matter of definition that the classical equivalence between the two flavours of OTs cannot rigorously apply to the present quantum case.

The real origin of this result can be found in the equations in the previous section. By comparing Eqs. (13) and (15), we can see that if there does not exist a system D, Protocol P will become insecure too. That is, if Alice does not introduce the quantum system D in Eq. (5), Protocol P will show no difference from the protocols satisfying Definition D. In classical cryptography, Alice surely does not have such a system. That is why the two flavors of OTs seem equivalent. In quantum cryptography, if Alice does not make full use of the computational power but simply executes the protocol with the quantum system A alone, she cannot defeat Bob's cheating either. The difference between Protocol P and a rigorous one-out-of-two OT can only be manifested when the protocol is indeed executed at the quantum level. In this sense, the underlying origin is the nature of quantum cryptography itself.



VII. DISCUSSIONS AND SUMMARY 

It has been shown that though one-out-of-two OT can be built upon all-or-nothing OT in classical cryptography, a Protocol P built upon a secure quantum all-or-nothing OT protocol via the same method cannot satisfy the rigorous Definition C of quantum one-out-of-two OT. Considering that a secure quantum all-or-nothing OT protocol was already established which is not denied by Lo's insecurity proof of one-sided two-party secure computations [7] because it does not satisfy the requirement on which the proof is based, it seems unlikely that such a protocol can lead to another protocol satisfying the requirement. Furthermore, if a secure protocol satisfying the rigorous definition of quantum one-out-of-two OT existed, it would be used as a black box primitive to implement secure QBC according to Ref.Q, conflicting with the MLC no-go theorem. On the contrary, it is more logically consistent that no other method is available to build a rigorous quantum one-out-of-two OT protocol upon quantum all-or-nothing OT. That is, the two flavors of OTs should not be rigorously equivalent in quantum cryptography.

Though a profound understanding of the exact relationship between the two flavors of OTs at the quantum level is still awaited, at least one thing is clearly elaborated in this work: the classical equivalence between these OTs cannot be directly applied to quantum cryptography. This finding provides yet another intriguing example demonstrating that reductions and relations between classical cryptographic tasks need careful re-examination in quantum cases.